Student and coach database exposed in alleged PrepHero breach

May 19, 2025

A significant data breach linked to PrepHero, a college recruiting platform, has exposed the personal details of more than 3 million individuals, including student-athletes and their coaches.

An independent cybersecurity researcher made the discovery earlier this month, finding the unprotected and unencrypted database online.

The records, totalling approximately 135 gigabytes across 3,154,239 entries, were accessible without authentication, leaving users vulnerable to potential misuse.

PrepHero, operated by a Chicago-based company, provides services that allow high school athletes to build recruitment profiles and communicate with college coaches to pursue athletic scholarships.

The exposed database contained user data from this platform, including student-athletes’ names, phone numbers, email addresses, residential addresses, and passport details. Contact information for parents and coaches was also included, along with unsecured files linked to passport image scans.

In addition to personal data, the database featured a folder titled “mail cache,” which contained roughly 10 gigabytes of email communications from 2017 to 2025.

These messages included personalised web links to public pages displaying names, dates of birth, contact details, and compensation-related information. Some emails contained temporary passwords, further amplifying the privacy risks.

Audio recordings were also discovered within the database, featuring coaches identifying themselves and their colleagues while evaluating student-athletes’ performance, adding another layer of sensitive, personally identifiable content.

 

PrepHero assured the potentially affected parties that it had immediately secured the exposed details.

 

The company promptly secured the exposed database after the researcher reported the findings to PrepHero.

However, questions remain regarding whether PrepHero or a third-party vendor was directly responsible for managing the database and how long the sensitive information remained accessible online.

It is also unclear whether unauthorised individuals accessed the data before it was secured. Researchers noted the particular vulnerability of student-athletes in this context.

Many are minors or have limited credit histories, so their data is especially attractive to identity thieves. Exposed contact information could also be exploited in targeted phishing campaigns and social engineering attacks, potentially affecting students and coaches.

Individuals affiliated with PrepHero have therefore been advised to remain vigilant against phishing attempts, implement multi-factor authentication (MFA), use secure content management systems, and encrypt sensitive documents to mitigate or prevent the impact of similar breaches in the future.
